Joined: Jun 2006
Posts: 346
enthusiast
How did you get past the untaint check? at CGIPath/ubb_profile.cgi line 1142.
This can be confirmed on an unmodified 6.7.2 board (mine).
Joined: Jun 2006
Posts: 16,366 Likes: 126
Confirmed on my 6.7.2 modified forum; it's kinda fun to add more/less "0's" to the address bar for the user number; it gets past in either direction.
Joined: Jul 2006
Posts: 2,143
Pooh-Bah
This is the designed behavior - you didn't actually pass in a valid eight digit user number. The code intentionally does not forcefully mangle the number.
Joined: Jun 2006
Posts: 16,366 Likes: 126
Wouldn't it instead make more sense to state "you have not entered a valid 8 digit member id" vs "you have bypassed the taint check"?
Joined: Jul 2006
Posts: 2,143
Pooh-Bah
There are no conditions in which an invalid link can be generated to that page. The error isn't meant to be user-friendly, as it's one of those "this can't happen" errors.
Joined: Jun 2006
Posts: 16,366 Likes: 126
Yeh, but there are many ways that a user can mess a direct link to that page up in a sig/post then whine that the board has a bug lol